Filter Articles

Business Guidance for WannaCry Attacks

After the events of Friday where thousands of computers were infected with the WannaCry Ransomware, many were left wondering what they should do now. SBRC brings you the most up to date information on how to keep your business safe.

Key Protect messages for businesses to protect themselves from ransomware:

The first thing to do is to check that all Microsoft Updates have been applied. Microsoft issued a patch to close the vulnerability that allows this virus to spread in mid-March, this update is called Microsoft Bulletin MS17-010 and details can be found here https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. The next step is to update your Anti-Virus software. Hopefully all Anti-Virus software vendors have updated their software to catch this virus.

This next step is to ensure that you have a recent backup in place. The only way to restore your system if hit with ransomware is to restore the system to the last good backup.

Please be aware that it’s not only machines that are running Windows XP that are vulnerable to this virus, it’s all machines running Windows operating systems that have not had the security patch issued in March applied.

If you have already been infected with the virus, disconnect the network cable to help prevent further spread of the virus across the network. It will then be necessary to “re-image” the machine. This involves re installing the operating system, applying all the necessary updates and then restoring to from a backup.

If it is not possible for some reason to apply the updates it is important to switch off the SMBv1 protocol. This is a protocol that helps with sharing files over a network and is the protocol that is being used to spread the virus. If you are unsure how to do this, contact your IT support provider to ask them how.

Finally, now is a good time to remind staff about the risks of clicking on links and attachments in emails, particularly from unknown senders.

Advice from Microsoft Security Response Centre

• In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.• For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).

What to do if your organisation has been infected with ransomware

If you need to know more about ransomware and its effects, or you have a ransomware issue, there are a number of sources of further advice and guidance:

• The City of London Police’s National Fraud Intelligence Bureau has issued an alert urging both individuals and businesses to follow protection advice immediately and in the coming days. Ransomware Incident • The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at www.actionfraud.police.uk. It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay.• The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organisations.• The Cyber Security Information Sharing Partnership (CiSP) offers organisations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced. For more information contact Graham Bye, Scottish CISP Coordinator.